Part 3: SSH Tunnels Deep Dive - SSH Through Bastion Server
In the last two parts, Local Port Forwarding and Remote Port Forwarding, we covered the two main directions of SSH port forwarding: local and remote. Those are the ones most people struggle with at first, but once you understand them, everything else falls into place. The next type of SSH tunnel builds on what you already learned about local forwarding, but adds an intermediate step.
Instead of forwarding traffic directly to the SSH server, we forward it through a machine that sits between you and the actual target. This intermediate machine is commonly known as a bastion host.
SSH Proxy Tunnel (Forwarding Through an Intermediate Server)
Here is how it looks: one machine is exposed to the outside world, while the internal systems sit protected behind it. For the most part, you can only reach the bastion host directly; the internal systems are hidden away, inaccessible from the public internet. Since the bastion host has access to those internal systems, it becomes our gateway into the private network, so we can use SSH local port forwarding to reach them through the bastion host.
So here is how it works: you open a local port on your laptop, just like standard local forwarding. But instead of sending that traffic directly to the SSH server, you tell SSH to forward it further into the internal network, to a machine that only the bastion host can reach.
To make this clearer, here’s a visual representation of how local port forwarding works when a bastion host sits between you and the internal machine:
Let’s demonstrate this in the lab.
Lab Setup
For this I have set up three machines:
The client machine (192.168.56.10), where I’ll run my SSH command and open the tunnel.
The bastion host (192.168.56.11), which I’ll connect to via SSH.
The internal machine (192.168.57.11), which I want to reach through the bastion host.
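As an added example (not the post's own code), here is the local forward through the bastion using the lab addresses above, the equivalent ~/.ssh/config stanza, and a check that the local end of the tunnel is listening. The bastion username user, an HTTP service on port 80 on the internal machine, and local port 8080 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Lab addresses from the post;
# the username "user", port 80 on the internal host and local port 8080 are assumed.

CLIENT_BIND=127.0.0.1        # bind to loopback only: nobody else on the client's LAN
                             # should be able to ride this tunnel into the private net
LOCAL_PORT=8080
INTERNAL_HOST=192.168.57.11  # only reachable from the bastion
INTERNAL_PORT=80
BASTION=user@192.168.56.11   # assumed account on the bastion host

# Build the ssh command. -N: no remote shell, -f: go to background after auth,
# ExitOnForwardFailure: fail loudly if the -L bind cannot be set up,
# ServerAliveInterval: notice a dead bastion session instead of hanging forever.
build_tunnel_cmd() {
    bind=$1; lport=$2; host=$3; rport=$4; bastion=$5
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -L %s:%s:%s:%s %s' \
        "$bind" "$lport" "$host" "$rport" "$bastion"
}

# Same tunnel as a config stanza, so it can be started with: ssh -N -f bastion-web
build_ssh_config() {
    bind=$1; lport=$2; host=$3; rport=$4; bastion=$5
    user=${bastion%@*}; bhost=${bastion#*@}
    printf 'Host bastion-web\n    HostName %s\n    User %s\n    ExitOnForwardFailure yes\n    ServerAliveInterval 30\n    LocalForward %s:%s %s:%s\n' \
        "$bhost" "$user" "$bind" "$lport" "$host" "$rport"
}

# Confirm the client side of the tunnel is listening (ss, with a netstat fallback).
tunnel_listening() {
    bind=$1; port=$2
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | grep -q "[[:space:]]$bind:$port[[:space:]]"
    else
        netstat -ltn 2>/dev/null | grep -q "[[:space:]]$bind:$port[[:space:]]"
    fi
}

main() {
    cmd=$(build_tunnel_cmd "$CLIENT_BIND" "$LOCAL_PORT" "$INTERNAL_HOST" "$INTERNAL_PORT" "$BASTION")
    echo "$cmd"
    eval "$cmd" && tunnel_listening "$CLIENT_BIND" "$LOCAL_PORT" \
        && echo "tunnel up: http://$CLIENT_BIND:$LOCAL_PORT/ -> $INTERNAL_HOST:$INTERNAL_PORT via bastion"
}

# Only open the tunnel when invoked as: sh tunnel.sh --run
case "${1:-}" in --run) main ;; esac
```

Once the tunnel is up, a request to http://127.0.0.1:8080/ on the client leaves the bastion towards 192.168.57.11, so the internal machine's logs show the bastion's address, not the client's.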